Beosin: Analysis of the $25 million loss incident caused by MEV bots
ChainCatcher news, according to monitoring by the blockchain security audit company Beosin's Beosin EagleEye platform, MEV bots suffered malicious sandwich attacks, resulting in losses of approximately 25 million USD. The Beosin security team provided a brief analysis of the incident.The results are as follows:In one example of the attack, the attacker first targeted a pool with very low liquidity and tested whether the MEV bot would front-run the transaction. For instance, in the image below, we can see that the attacker tested the MEV bot with 0.04 WETH, enticing the MEV bot to engage in front-running arbitrage. It was discovered that the pool indeed had an MEV bot monitoring, and the MEV bot would use all its funds for arbitrage. On the other hand, the MEV bot used the attacker's node to mine blocks; the attacker had also been trying to see if the MEV would use his validator for block production, thus validating in advance whether the MEV bot would execute and allowing the validator to view the bundle.After successfully testing, the attacker used a large amount of tokens previously exchanged in Uniswap V3 to conduct exchange operations in the low liquidity V2 pool, enticing the MEV to use all of its WETH to front-run the purchase of worthless tokens. However, the transaction that was front-run was actually targeting the MEV's attack transaction, using a large amount of tokens to exchange for all the WETH that the MEV had just front-run.At this point, since the WETH that the MEV was front-running had already been exchanged by the attack transaction, the MEV bot's attempt to exchange back for WETH would fail.The main conditions for the attack's success may be that the MEV still uses all its funds for arbitrage in low liquidity pools, that in Uniswap V3, a small amount of funds can obtain the same tokens, while their value has been manipulated and unbalanced in the V2 pool, and that the attacker may have validator node permissions, allowing them to modify the bundle.Beosin's KYT anti-money laundering analysis platform found that the current funds are located at the addresses:0x3c98d617db017f51c6a73a13e80e1fe14cd1d8eb (19,923,735.49 USD), 0x5B04db6Dd290F680Ae15D1107FCC06A4763905b6 (2,334,519.51 USD), 0x27bf8f099Ad1eBb2307DF1A7973026565f9C8f69 (2,971,393.59 USD). (source link)